And no, it's not linking statically to the system copy, it has its own source files it seems. Fantastic.
Why do we provide only a static libassuan version? Are there any real problems with linking software with shared libassuan?
Upstream is upstream for both libassuan and pinentry. No idea why they provide libassuan within pinentry but usage of system libassuan should be supported by upstream first.
These bugs need to stay open until the problem is solved, whether by upstream or us, because we use the bugs to track issues in case of security bugs.
(In reply to comment #3)
> These bugs need to stay open until the problem is solved, whether by
> upstream or us, because we use the bugs to track issues in case of security
> bugs.
Having a security bug will automatically trigger a CVE for all affected upstream components. I don't see any reason to keep this open. But not that it does any harm.
Created attachment 405346: pinentry-0.9.4-r2.ebuild.diff. Good news from upstream, bundled assuan was removed per the following commit: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=pinentry.git;a=commit;h=302903f76b8d62b1e07219a203f7219cb3aff7d8
Created attachment 405348: pinentry-0.9.4-system-libassuan-p1.patch. Patch sliced in two halves so repoman is happy.
Created attachment 405350: pinentry-0.9.4-system-libassuan-p2.patch
Thanks for the heads up! We will wait for the next release.
For tracking reference, the ML discussion on this is at http://lists.gnupg.org/pipermail/gnupg-devel/2015-June/029932.html
Closing, this is included in 0.9.5 which is in tree